The Revolution Will Be Written in Delphi

By: Dennis Schwarz -

Since it has been a little while since we profiled a DDoS botnet family on the blog, let's take a look at Trojan.BlackRev (also known as the "Black Revolution" trojan). It was named after the mutex set in early versions of the malware. The family is interesting from a research perspective because at least four revisions are in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is Delphi (networking support via the Synapse library); PEiD detects it as version "6.0 - 7.0" and the Interactive Delphi Reconstructor (IDR) confirms version 7.

As an aside, the latter tool’s IDC Generator helped significantly in reverse engineering these binaries in IDA Pro, thanks much!

Based on the Delphi usage, the command and control locations, and the language references in some of the HTTP headers, the family appears to be of Russian origin. But, as with all malware attribution, this is speculative. It is also unclear whether a single threat actor holds the source code or whether the code has been released or leaked and multiple actors are making modifications.

Revision 1

Revision 1's command and control (C&C) is HTTP based. Bots register to the C&C using a request like this:

GET /113/bot/gate.php?reg=lemaaapuzg HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The reg parameter value is set to 10 random lowercase letters.

Here is how bots poll for commands:

GET /113/bot/gate.php?cmd=urls HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C will respond with a “|” delimited message:

command|unknown_integer|unknown_integer2|target|query string or port|

Identified commands:

  • stop – stop attack
  • die – terminate bot process
  • sleep – sleep for one hour
  • http – HTTP GET request flood #1
  • simple – HTTP GET request flood #2
  • loginpost – HTTP POST request flood #1
  • datapost – HTTP POST request flood #2

The following DDoS attacks are implemented in this revision.

Attack – http

A HTTP GET request flood. Here is a sample request:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie: PHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

The Keep-Alive header will be set to a random integer between 0 and 300. The rest of the headers are static.

Attack – simple

A barebones HTTP GET request flood. It uses Synapse’s default GET request and looks like this:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – loginpost

A HTTP POST request flood. The POST request will look like:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 25

login=gxt1$pass=svw3re1aq

The login and pass parameters are separated by the “$”. Both values are set to random lowercase letters and digits. The lengths will be chosen randomly between 0 and 15 characters each.

Attack – datapost

A HTTP POST request flood. A sample request:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 895

r8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs
jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsj

For the POST data, a string of lowercase letters and digits is generated. The length will be randomly chosen between 0 and 150. This string will then be repeated 179 times.

Revision 2

Revision 2 of Trojan.BlackRev modifies the C&C communications slightly. The reg parameter is set to 15 random lower and uppercase letters and it uses the following User-Agent:

User-Agent: Mozilla/4.0 (SEObot)

The following layer 4 attack commands were added:

  • syn – TCP connection flood
  • udp – UDP flood #1
  • udpdata – UDP flood #2
  • data – TCP flood
  • icmp – ICMP echo request floods

This revision implements revision 1's http, simple, loginpost, and datapost attacks, the only difference being that in the latter three the User-Agent used is:

User-Agent: Mozilla/4.0 (SEObot)

The following are the details of the additional DDoS attacks.

Attack – syn

Per the name, this is supposed to be a TCP SYN flood, but what is actually implemented is a TCP connection flood: each connection completes the full three-way handshake, so the bot's real source addresses are exposed and the target sees ordinary established connections rather than half-open ones.

Attack – udp

A UDP flood where the payload is 16 “F”s.

Attack – udpdata

A UDP flood where the payload is 100 random lowercase letters.

Attack – data

A TCP flood. For the payload, a string of random lowercase letters with a random length of 0 to 100 is generated. This string is repeated 172 times. The concatenated string is then repeated again 35 times.

Attack – icmp

An ICMP echo request (ping) flood. The payload is 44 "7"s.

Revision 2.5

C&C-wise, revision 2.5 is very similar to revision 2. It changes the following commands:

  • http
  • udp
  • udpdata
  • data

This revision adds:

  • tcpdata – TCP flood #1
  • dataget – HTTP GET request flood
  • connect – TCP flood #2
  • dns – resolve IPs

Attack – http

Example request:

GET /index1.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 176
Connection: keep-alive
User-Agent: Android-x86-1.6-r2 - Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: https://www.google.ru/#hl=ru&gs_rn=9&gs_ri=psy-ab&tok=TBFEIC6g9ZD8TLHI_O_qEw&cp=5&gs_id=i&xhr=t&q=www.victim1.com&es_nrs=true&pf=p&newwindow=1&safe=off&output=search&sclient=psy-ab&oq=site.&gs_l=&pbx=1&bav=on.2,or.r_cp.r_qf.&bvm=bv.45175338,d.bGE&fp=364d6440e7471a0b&biw=1360&bih=624
Cookie: PHPSESSID=66lf4vv9l8W7engCw6hFmLWShuKAMMuqJICAxiLekLrmAnnmiJ

The Keep-Alive header will be set to a random number between 0 and 300. The Cookie header will be set to “PHPSESSID=” with a value of 50 random uppercase, lowercase, and digits. This revision selects a random User-Agent out of the following 11 possible:

  • Yandex/1.01.001 (compatible; Win16; I)
  • Yandex/1.01.001 (compatible; Win16; P)
  • Yandex/1.02.000 (compatible; Win16; F)
  • Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)
  • StackRambler/2.0 (MSIE incompatible)
  • StackRambler/2.0
  • Android-x86-1.6-r2 – Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
  • Samsung Galaxy S – Mozilla/5.0 (Linux; U; Android 2.1-update1; ru-ru; GT-I9000 Build/ECLAIR) AppleWebKit/530.17 (KHTML, like Gecko)
  • Samsung Galaxy Tab 10.1 Android 3.1 – Mozilla/5.0 (Linux; U; Android 3.1; en-us; GT-P7510 Build/HMJ37) AppleWebKit/534.13 (KHTML, like Gecko)
  • Blackberry OS ?? 4.2 ?? 5 ?????? ? BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/179

The rest of the headers are static, including the very specific Referer.

Attack – udp

The UDP payload is interesting. It is 76 bytes in length, and looks like tcpdump output:

[udp sum ok] 60865 FormErr% [0q] 0/0/0 (12) (DF) (ttl 253, id 9987, len 40)

ASERT team member Matt Bing speculated that it might have been copied and pasted from the tcpdump output in a 2005 article titled "Understanding the UDP Protocol".

Attack – udpdata

The payload in this variant is 342 “F”s.

Attack – tcpdata

This is a new attack, a TCP flood. The payload is generated like this: a string of 100 random lowercase letters is generated. This string is repeated 172 times. Then, the concatenated string is repeated 35 times.

Attack – data

The data command was changed to launch both the udpdata and tcpdata attacks.

Attack – dns

Repeatedly tries to resolve the target IP via gethostbyaddr() function calls.

Attack – dataget

A new HTTP GET request flood. Example request:

GET /index10.html?xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u17k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd005s5hpwerv1=xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u17k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd005s5hpwerv1$....more of the same... HTTP/1.1
Host: www.victim10.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (SEObot)

The query string is quite long. It is constructed like this: a string of 150 random lowercase letters and digits is generated and used as both name and value for 18 name/value pairs. At the end, one more name/value pair is added whose value is the random string repeated 53 times. Name/value pairs are separated by "$" rather than "&".

Attack – connect

A new attack, a TCP flood. On each send() iteration a string of 10 random lowercase letters is generated and appended to the previously generated string. A newline is concatenated to the end.

Revision 3

Revision 3 changes things up a bit. The analyzed binary phones home to the same C&C domain and IP as revision 2, but bot registration now looks like this:

GET /ddd/gate.php?id=idbucwehjhhgjjxxe HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The id parameter will be set to “id” plus 15 random lowercase letters.

Commands in this revision are polled via:

GET /ddd/get HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C response is still pipe delimited, but different:

command|number_of_packets_to_send|URL, IP, hostname, or stop

There are some deletions, additions, and changes to the command set.

Commands removed:

  • die
  • sleep
  • syn
  • udpdata
  • tcpdata
  • data
  • dataget
  • connect

Commands added:

  • exec – download and execute
  • resolve – hostname resolution flood
  • antiddos – HTTP GET request flood — favicon.ico
  • range – HTTP GET request flood — Range header
  • ftp – FTP connection flood
  • download – HTTP GET request flood
  • fastddos – HTTP GET request flood — WinInet functions
  • slowhttp – HTTP GET request flood — possible Slowloris attempt
  • allhttp – launches multiple HTTP floods
  • full – launches multiple floods

Commands changed:

  • http
  • simple
  • loginpost
  • datapost
  • udp

Commands that stayed the same:

  • icmp
  • dns

Below are revision 3's attacks.

Attack – http

The http attack changed. It is now a HTTP GET and POST flood. The GET request:

GET /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html

And the POST:

POST /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html
Content-Length: 87664

In both, the Keep-Alive header will be set to a random number between 0 and 300. In the POST, the Content-Length header is set to a random number between 0 and 300,000.

Attack – simple

The simple attack is slightly different:

GET /index.html HTTP/1.1
Host: www.victim2.com
Connection: close
User-Agent: Opera/9.80

The User-Agent header looks to be a copy and paste typo. This User-Agent is used in some additional attacks as well.

Attack – loginpost

In addition to the below POST request, a simple flood is also started.

POST /index.html HTTP/1.1
Host: www.victim3.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 28

login=g84lkvpk&pass=uOjzq9FJ

Slight differences: the parameters are separated by a “&” instead of a “$” and the values are each set to eight random lowercase letters and digits.

Attack – datapost

A POST request where the data is 100 random lowercase letters.

POST /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 100

bulwmxcytltvczbrgqoedffycczkyedrmoczlkhgjghmwdnveinkkzgncvtojsxhlchddzebspuwcsdeydalowdcewdxrllgzvvt

Attack – udp

The UDP flood routine no longer uses the Synapse Library in this revision. Winsock is used instead. Port 80 is hardcoded and the payload is only two “F”s.

Attack – resolve

Repeatedly tries to resolve the target hostname via gethostbyname() function calls.

Attack – antiddos

A HTTP GET request flood. Two requests are sent on each iteration, the first one being:

GET /index.html HTTP/1.1
Host: www.victim2.com
Keep-Alive: 150
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The second:

GET /index.html/favicon.ico HTTP/1.1
Host: www.victim2.com
Keep-Alive: 47
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto3e45h4rlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The Keep-Alive header is set to a random number between 0 and 300. In the second request, "favicon.ico" is appended to the configured path rather than requested from the site root, which is why it appears after index.html.

Attack – range

A HTTP GET request flood with a Range header. Possibly an attempt at an ARME/Apache Killer style attack, although with a single byte range per request it lacks the many overlapping ranges that attack depended on. Sample request:

GET /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
Range: bytes=41-73915
User-Agent: Opera/9.80

The Range start value is a random value between 0 and 100. The stop value is a random value between 0 and 100,000.

Attack – ftp

A FTP connection flood. A sample session:

200 OK
USER 7g6jo5ircx
331 password
PASS s1pvu9yx0r
200 OK
TYPE I
200 OK
STRU F
200 OK
MODE S
200 OK
REST 0
200 OK

The USER and PASS will both be set to 10 random lowercase letters and digits.

Attack – download

A basic HTTP GET request flood:

GET /1.exe HTTP/1.0
Host: www.victim7.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – fastddos

A HTTP GET request flood using the WinInet functions:

GET /index.html HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: google
Host: www.victim8.com
Cache-Control: no-cache

Notice the interesting User-Agent.

Attack – slowhttp

A HTTP GET request flood. Possibly an attempt at a Slowloris attack, but it is not slow at sending data. Here’s what the request looks like:

GET /9.html HTTP/1.0
Host: www.victim9.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)‘=

Attack – allhttp

Launches the following attacks:

  • simple
  • http
  • range
  • loginpost
  • download
  • datapost

Attack – full

Launches the following attacks:

  • icmp
  • udp
  • datapost
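
The request templates above are the useful part for defenders: the User-Agent strings, the static cookie and Referer values, the "$"-separated login/pass body and the "$"-separated dataget query string are all things a proxy log or IDS can match. The following Python is an added example, not ASERT's detection logic; it parses a raw HTTP request and names every documented BlackRev indicator it matches. The sample requests are constructed from the captures in this write-up, and the indicator names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

SEOBOT_UA = "Mozilla/4.0 (SEObot)"
SYNAPSE_UA = "Mozilla/4.0 (compatible; Synapse)"


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def blackrev_indicators(raw):
    """Return the names of every BlackRev indicator matched by one request (empty list = clean)."""
    method, target, h, body = parse_http_request(raw)
    url = urlsplit(target)
    qs = parse_qs(url.query, keep_blank_values=True)
    ua = h.get("user-agent", "")
    hits = []

    # C&C: registration and command polling against gate.php. The Synapse default
    # User-Agent alone is not enough; it only counts together with the gate.php parameters.
    if url.path.endswith("/gate.php") and ua in (SYNAPSE_UA, SEOBOT_UA):
        if "reg" in qs:
            hits.append("cc-register reg= (rev 1/2/2.5)")
        if qs.get("cmd") == ["urls"]:
            hits.append("cc-poll cmd=urls (rev 1/2/2.5)")
        if any(v.startswith("id") for v in qs.get("id", [])):
            hits.append("cc-register id=id... (rev 3)")

    # User-Agent strings unique to the flood templates
    if ua == SEOBOT_UA:
        hits.append("ua SEObot (rev 2/2.5)")
    if ua == "Opera/9.80" and h.get("connection", "").lower() == "close":
        hits.append("ua bare Opera/9.80 (rev 3 simple/loginpost/datapost/range)")
    if ua == "google" and h.get("cache-control") == "no-cache":
        hits.append("ua google (rev 3 fastddos)")

    # Static cookie and Referer fragments hard-coded in the templates
    cookie = h.get("cookie", "")
    if "__utma=226332163.1894789553.1362397126" in cookie:
        hits.append("static cookie (rev 1 http)")
    if "s=nfa578n8ichp3eep45j22f5" in cookie:
        hits.append("static cookie (rev 3 http/antiddos)")
    if "tok=TBFEIC6g9ZD8TLHI_O_qEw" in h.get("referer", ""):
        hits.append("static referer (rev 2.5 http)")
    if url.path.endswith(".html/favicon.ico"):
        hits.append("favicon.ico appended to file path (rev 3 antiddos)")

    # POST bodies of the loginpost floods
    if method == "POST":
        if re.fullmatch(r"login=[a-z0-9]{0,15}\$pass=[a-z0-9]{0,15}", body):
            hits.append("loginpost body, $ separator (rev 1/2/2.5)")
        elif re.fullmatch(r"login=[A-Za-z0-9]{8}&pass=[A-Za-z0-9]{8}", body):  # page sample is mixed case
            hits.append("loginpost body, & separator (rev 3)")

    # dataget: 18+ "$"-separated pairs that all reuse one 150-character random string as the name
    pairs = url.query.split("$")
    if len(pairs) >= 19 and all("=" in p for p in pairs):
        names = {p.split("=", 1)[0] for p in pairs}
        if len(names) == 1 and len(next(iter(names))) == 150:
            hits.append("dataget query string (rev 2.5)")
    return hits


# Constructed sample requests, modelled on the captures in the write-up above.
SAMPLES = {
    "rev1 beacon": (b"GET /113/bot/gate.php?reg=lemaaapuzg HTTP/1.0\r\nHost: userhaos.ru\r\n"
                    b"Keep-Alive: 300\r\nConnection: keep-alive\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n\r\n"),
    "rev3 fastddos": (b"GET /index.html HTTP/1.1\r\nAccept: */*\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: google\r\n"
                      b"Host: www.victim8.com\r\nCache-Control: no-cache\r\n\r\n"),
    "rev1 loginpost": (b"POST /index.html HTTP/1.0\r\nHost: victim.com\r\nKeep-Alive: 300\r\n"
                       b"Connection: keep-alive\r\nUser-Agent: Mozilla/4.0 (compatible; Synapse)\r\n"
                       b"Content-Type: text/html\r\nContent-Length: 25\r\n\r\nlogin=gxt1$pass=svw3re1aq"),
    "benign": (b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0\r\nAccept: */*\r\n\r\n"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: {blackrev_indicators(req)}")
```

The Synapse default User-Agent and Keep-Alive: 300 are deliberately not indicators on their own; plenty of legitimate Delphi software ships with Synapse, so they are only scored when paired with the gate.php registration or polling parameters. The bare "Opera/9.80" and "google" User-Agents, by contrast, are specific enough to alert on directly.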

Miscellaneous

Besides the C&C and DDoS attacks there are some additional differences and features among the revisions:

  • All four revisions spawn a thread that tries to maintain a small memory footprint via calls to SetProcessWorkingSetSize().
  • Revisions 1 and 2.x try to revoke discretionary access control list (DACL) rights to its binary.
  • Revisions 1 and 2.x enumerate a number of directories and then remove files and kill processes based on some tests. The referenced analysis below indicates this might be "botkiller" code.
  • Revision 2.x verifies the embedded C&C by calculating a hash on the URL and comparing it to a hardcoded hash value.
  • Revision 2.x has some built-in monitoring/debugging functionality where the attack commands are echoed back to the C&C via a HTTP GET request to monitor.php.
  • Revision 3 was the first binary to be packed–UPX.
  • Revision 3 maintains persistence via the Registry Run method.
  • The code organization and layout of revision 3 also differs a bit from the other three.

Most of these code paths were glossed over during reversing, and a detailed analysis of them is left as an exercise for any interested readers. There is a Russian language malware analysis of revision 2 by the "onthar.in Malware Research Laboratory" that takes a closer look at some of the above and also at an associated dropper. It is available at http://onthar.in/articles/black-revolution-ddos-bot-analysis/ (Google Translate does an okay job).

ASERT has been using the following YARA rule to detect this malware family in our malware zoo:

// blackrev
// Dennis Schwarz, Arbor Networks ASERT
// April 2013

rule blackrev
{
    strings:
        $base1 = "http"
        $base2 = "simple"
        $base3 = "loginpost"
        $base4 = "datapost"

        $opt1 = "blackrev"
        $opt2 = "stop"
        $opt3 = "die"
        $opt4 = "sleep"
        $opt5 = "syn"
        $opt6 = "udp"
        $opt7 = "udpdata"
        $opt8 = "icmp"
        $opt9 = "antiddos"
        $opt10 = "range"
        $opt11 = "fastddos"
        $opt12 = "slowhttp"
        $opt13 = "allhttp"
        $opt14 = "tcpdata"
        $opt15 = "dataget"

    condition:
        all of ($base*) and 5 of ($opt*)
}

Conclusion

As we have seen, Trojan.BlackRev is very much a DDoS-specific bot with a rich set of attacks. There are certainly signs that circa April 2013 the code was under active development and the associated campaigns were likely test runs. In addition, the onthar.in analysis notes that they haven’t seen this malware being sold on the underground forums yet. It will be interesting to see how this family will evolve and how active it will become in the wild.

Estonia, six years later

By: Dan Holden -

In April 2007, the Estonian government decided to relocate the Bronze Warrior, a Soviet World War II memorial located in Tallinn, as well as the remains of some Soviet WWII soldiers buried nearby.

This decision caused great offense in Russia, starting at the top. Russian president Vladimir Putin said, “I find that this is an absolutely short-sighted policy, extremist-nationalist, which does not take into consideration the history connected with the fight against Nazism or today’s reality.”

Russia’s foreign minister Sergei Lavrov said Estonia had a “blasphemous attitude towards the memory of those who struggled against fascism.”

Within weeks, the country of Estonia was offline, taken down by a botnet-fueled distributed denial of service (DDoS) attack. This attack impacted both the government and the private sector.

The attacks begin….

Within days of the Estonian government decision, a series of sustained DDoS attacks against Estonian Web properties began.

Estonia’s defense minister at the time, Jaak Aaviksoo, told Wired Magazine:

“The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells me later. “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”

Two weeks into the attack, Arbor Networks senior security researcher at that time Jose Nazario posted a detailed analysis on our blog, writing,

“All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.”

Within the first two weeks, our Internet-wide threat monitoring system, ATLAS, saw at least 128 separate attacks on nine different Web sites in the country, including 35 attacks against the Estonian police, another 35 attacks against the Ministry of Finance and 36 against the Estonian parliament, Prime Minister as well as other general government Web properties.

  • Attack bandwidths ranged from under 10 Mbps to 95 Mbps, with the majority in the 10-30 Mbps range
  • 75 percent lasted no longer than one hour and 5.5 percent, over 10 hours

So does the speculation….

A high profile disagreement between leaders of Estonia and Russia, followed immediately by a cyber-attack against Estonian Web sites? Well, that can only mean one thing, CYBERWAR!!!

Headlines from May 2007:

Estonia: Ground Zero for World’s First Cyber War?

Estonia hit by ‘Moscow cyber war’

Russia accused of unleashing cyberwar to disable Estonia

Slippery Slopes: Attribution and Semantics

One thing that certainly has not changed since the Estonia incident is that hurried analysis, and attempts at instant attribution, are very rarely accurate.

While the headlines said “cyberwar,” the data that we saw at the time said something else, and that is digital attribution regardless of motive can be extremely difficult. These attacks, like many before and since, were widely distributed around the world. In fact, many of the attacks originated from the United States and elsewhere. There was significant chatter and sharing of attack tools on Russian language Web sites.

Arbor’s ATLAS system and subsequent analysis showed signs of Russian nationalism at work, but no Russian government connection. The sources we analyzed from around the world did not show a clear line from Moscow to Tallinn; instead, it was from everywhere around the world to Estonia. Additionally, we noted at the time that targets were high-profile Web properties, not critical national infrastructure.

As so often happens, after the flurry of initial speculation, the facts settle and the truth comes out, and usually with more than a little snark.

Wired:

Estonia ‘Cyberwar’ Wasn’t

Sadly, this dashes THREAT LEVEL’s hopes of seeing our own made up infowar term on a CNN graphic.  Since we put it out a week ago, a few more hyperbolic cyberterror gems have surfaced in the coverage of the Estonia packet floods — The First War in Cyberspace!The Future Of Warfare! (exclamation points added) — but the only writer to adopt our Cybarmageddon! was Bruce Sterling.  We’ll let you know if it turns up in his next novel.

There is also a lot of confusion around the term “cyberwar.” What does that mean exactly? One country attacking another seems obvious, but in what respects, what targets, and to what degree? What about when a country leverages experts in the field, as it would with defense contractors, to develop tools and capabilities? Just as there is collaboration between the government and the private sector to develop traditional defense systems and hardware, we must by now realize that the same type of public-private collaboration is happening around the world with regard to cyber capabilities, both defensive and offensive.

I’ll leave the question of what defines a “cyberwar” for others with more patience than I to wax intellectual. What I do know is that geopolitics absolutely shapes the threat landscape and the Internet as we know it today.

Regardless of terminology, we have seen some high profile stories since Estonia. Here are but a few examples that we know about:

April 27, 2007: Attacks on Estonia begin

Week of June 15, 2008: Ukraine put under DDoS attack due to NATO protests

August 5, 2008, three days before Georgia launched its invasion of South Ossetia, the Web sites for OSInform News Agency and OSRadio were hacked. Arbor estimates these attacks were in the 814 Mbps range, significantly (at that time) larger than the Estonian DDoS attacks the year before. 

December, 2008 – January, 2009: Israel launched Operation Cast Lead against Hamas in the Gaza Strip. The fighting between the Israeli Defense Forces and Hamas included cyber-attacks against government Web sites and media outlets and involved both State and Non-State actors.

December, 2009 – April, 2010: In the months of unrest leading up to Kyrgyzstan’s second Tulip revolution, the technical unit of Kyrgyzstan intelligence cracked the email account of Gennady Pavlyuk, a leading dissident journalist, to obtain specific data on a project of his, then lured him to Kazakhstan under the pretense of meeting angel investors and killed him.

June 2010: Iran was the victim of a cyber attack when its nuclear facility in Natanz was infiltrated by the now very well-known cyber-worm ‘Stuxnet’.

November 2, 2010: Burma was the victim of a cyber-attack caused by a rapidly escalating, large-scale DDoS  attack targeting Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

January 2011: Tunisia’s Jasmine Revolution which resulted in the overthrow of a corrupt government, included violent protests and the hacking of user names and passwords for the entire online population of Tunisia by AMMAR, the country’s government-run Internet Services Provider (ISP).

January-February 2011: Egypt and Libya are taken offline entirely by their governments.

June 2011: Chinese and Vietnamese attackers started a cyber war over the territorial dispute on the ownership of the Spratly Islands in the South China Sea. 200 Vietnamese Web sites were attacked in June, and 10 percent of those Web sites were managed by government agencies; the attack disabled all the links on these Web sites and placed China’s flag at the center of the page.

March 20, 2013: South Korea is hit by a series of cyberattacks attributed to North Korea, affecting 48,000 computers and servers and hampering banks for two to five days.

April 21, 2013: The U.S. military is increasing its budget for cyber warfare and expanding its offensive capabilities, including the ability to blind an enemy’s radar or shut down its command systems in the event of war, according to two defense officials.

May 2013: A new wave of attacks targeting U.S. energy companies begins, rumored to be driven out of the Middle East. Unlike typical cyberattacks that attempt to obtain confidential information, steal trade secrets and gain competitive advantage, these new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.

Again, I’ll leave it to others to debate the semantics of cyberwar. What I do know is that cyberspace is a legitimate battle space. The ongoing attacks against global financial services firms are a great example of how this impacts our business and day-to-day lives. Those attacks have been sustained for over six months, with no end in sight. They are being funded at some level, by someone or some group with very serious motivation that would be difficult to keep going with what we know of traditional hacktivism. We can speculate all day long about who might be behind these attacks but I’d suggest we leave that to others and focus on learning lessons and building better defenses. In this changing geo-political driven environment, understanding the ‘who’ can be near impossible with only digital attribution, but attempting to understand the potential motivation behind attacks can help to better gauge risk to your organization. What has really changed since Estonia? The fact that this type of attack today wouldn’t be nearly as surprising as it was in 2007.

Syria taken offline

By: Darren Anstee -

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor's technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing and botnets that threaten Internet infrastructure and services. The information is aggregated, analyzed and fed back to our customers via our product deployments.

You can clearly see the traffic we are tracking for Syria drop to virtually zero at 20:00 UTC on the graph. This will be approximately one hour after the drop happened in the "real" world, given that ATLAS participants only report hourly.

We’ve seen entire countries in the Mideast taken offline before. Here is a look back to January-February 2011 and Egypt,

Egypt Returns

Digging Through an “Administrative Network Stressor” Provider’s Database

By: Dennis Schwarz -

On March 15, 2013, Brian Krebs of Krebs on Security wrote “The World Has No Room For Cowards.” In it, he writes a fascinating story about a DDoS attack against his site and also a physical attack against his person. The part where Krebs’ notes that “… there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to the [sic] know the link to the archive” stood out to me. booter.tw advertises itself as “The Ultimate Administrative Network Stresser [sic] Tool.”

blog image 1

As a security researcher, getting access to a database dump associated with an incident is always interesting. An earlier version of the Krebs’ article linked to the database file, so the following are some quick bits and pieces I pulled out of it. Here is a geo IP location map of the ‘lastip’ field of the ‘users’ database table. The assumption here is that these are the last login IPs for the 312 users of the service. It is important to note that proxies, VPN services, the Tor network, and other IP anonymizing services come into play here and the IPs might not trace back to a user’s actual physical location.

 

blog image 2

The ‘attacks’ database table contains attacks from January 23, 2013 to March 15, 2013, 48,844 entries in total. After resolving hostnames and discarding some junk IPs, close to 11,000 unique IPs were targeted. Here is a geo IP location map of those IPs.

blog image 3

 

The targeted IPs roughly map into the following organization types.

blog image 4

Assuming the ‘duration’ field is in seconds, the average attack duration was 34 minutes. Here is a breakdown of the different attack types:

blog image 5

This posting was a quick visualization of some of booter.tw’s database data as referenced by Krebs. I am glad that he and his family were unharmed during the associated SWATting attack and I look forward to reading his updates on this fascinating story.

Scavenging Connections On Dynamic-IP Networks Redux

By: Dennis Schwarz -

While a lot has changed since Seth McGann’s 1998 Phrack magazine article “Scavenging Connections On Dynamic-IP Networks,” it’s not hard to extrapolate his idea to modern-day malware sinkholes. In this blog post we would like to share some of the connections scavenged over a short period from the No-IP dynamic DNS network, a network we run into time and time again in our malware analysis.

Malware campaigns have not been shy about using these and other dynamic DNS hostnames for their command & control (C&C) servers. With the price (free), dynamic nature, and anonymity (throw-away email addresses and proxies), it’s not hard to see the appeal. Using the available APIs, malware authors are building support for these services directly into their bot builder kits as well.

no-ip

No-IP support built in to the Xtreme Remote Access Trojan (RAT)

Querying our malware zoo for the main free tier domain (no-ip.org) returns almost 6500 unique subdomains. As of this writing, about 4200 (64%) of these no longer resolve and are expired. As a proof of concept, we re-registered 100 of these sub-domains (see Appendix 1) and, in 4 groups of 25, sinkholed them for 3-4 days at a time. We used a simple sinkhole that redirected all TCP ports except SSH (22) to a Python daemon that limited the connection time to 5 seconds and logged the first 2048 received bytes.
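The capture side of such a sinkhole, as an added example that is not the post’s own daemon: a threaded Python listener that, like the one described above, keeps a connection open for at most 5 seconds and logs the first 2048 bytes the bot sends. The iptables REDIRECT rule in the comment, the listening port 9999, the JSON-lines log file and the SO_ORIGINAL_DST lookup (to recover the port the bot really dialled, since REDIRECT rewrites it) are this example’s assumptions, not details taken from the post.

```python
import json
import socket
import socketserver
import struct
import time
from datetime import datetime, timezone

# Assumed deployment: a Linux host where every TCP port except 22 is steered
# to LISTEN_PORT with a netfilter REDIRECT rule, e.g.
#   iptables -t nat -A PREROUTING -p tcp ! --dport 22 -j REDIRECT --to-ports 9999
LISTEN_PORT = 9999
MAX_BYTES = 2048      # keep only the first 2048 bytes, as the post describes
MAX_SECONDS = 5.0     # drop the connection after 5 seconds, as the post describes
LOG_PATH = "sinkhole.jsonl"


def capture_first_bytes(conn, limit=MAX_BYTES, timeout=MAX_SECONDS):
    """Read at most `limit` bytes from `conn`, giving up after `timeout` seconds.

    One overall deadline is used rather than a per-recv timeout: a bot that
    dribbles a byte every few seconds, or that silently waits for a server
    banner, must not hold a worker thread beyond the budget.
    """
    deadline = time.monotonic() + timeout
    chunks, got = [], 0
    while got < limit:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(limit - got)
        except (socket.timeout, OSError):
            break
        if not chunk:              # peer closed its side
            break
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks)


def original_dst_port(conn):
    """Port the bot actually dialled before REDIRECT rewrote it.

    Uses SO_ORIGINAL_DST (Linux netfilter only, option 80 at level SOL_IP);
    returns None wherever that option is unavailable.
    """
    SO_ORIGINAL_DST = 80
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
        (port,) = struct.unpack("!2xH12x", raw)   # sockaddr_in: family, port, addr, pad
        return port
    except (OSError, AttributeError, struct.error):
        return None


def make_record(src_ip, src_port, dst_port, data):
    """One JSON-serialisable log entry per connection: hex keeps binary
    phone-homes intact, the ASCII preview keeps text ones greppable."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": src_ip,
        "sport": src_port,
        "dport": dst_port,
        "len": len(data),
        "hex": data.hex(),
        "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in data),
    }


class SinkholeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = capture_first_bytes(self.request)
        rec = make_record(self.client_address[0], self.client_address[1],
                          original_dst_port(self.request), data)
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(rec) + "\n")
        # The server closes the socket after handle() returns; the 5-second
        # budget has already bounded how long the bot kept it open.


class SinkholeServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    with SinkholeServer(("0.0.0.0", LISTEN_PORT), SinkholeHandler) as server:
        server.serve_forever()
```

Many of the binary phone-homes listed below only arrive after the bot has waited for a banner that never comes, so the deadline in capture_first_bytes, not just a per-recv timeout, is what keeps a slow or silent peer from pinning a thread.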

Disregarding general Internet background noise (hi critical.io, proxy scanners, and SQL Slammer), we received connections from around 6650 unique IPs distributed across the globe.

map

Map of source IPs connecting to a two-week sinkhole of 100 no-ip.org domains

Considering the low number of domains that were registered, many surprises and concerns cropped up. The sheer number of unique sources, geographical distribution, amount of traffic generated by abandoned bots (close to 7 GB of PCAP data), and the variety of malware families was interesting and insightful. There was good representation of both ASCII and binary blob communications, but the latter was more prevalent. The number of HTTP based phone homes was also lower than expected. Further analysis reveals the following interesting elements.

Xtreme RAT

There were two types of phone homes. The first includes a version string; we saw 2.9, 3.1, 3.2, and 3.5 Private (as of this writing, 3.6 is the latest publicly available). The second type includes the password used in the campaign; we saw 123123, 87080060, and 1234567890 (the default).

Type 1 (130 unique IPs)

myversion|2.9

Type 2 (57 unique IPs)

GET /1234567890.functions HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C)
Host: XXX.no-ip.org:8089
Connection: Keep-Alive
Cache-Control: no-cache

DarkComet

Two types of phone homes were seen.

Type 1 (54 unique IPs)

D573BA5A4EFFC3FB629308

Type 2 (215 unique IPs)

KEEPALIVE8404156

Various IRC Bots (325 unique IPs)

As expected, IRC based bots were well represented. Some sample nicknames:

  • [iRooT-XP-CRI]702619
  • ESP|00|XP|SP3|8254484
  • {00-ITA-2K-ASP–6618}
  • ScAry0518258
  • pwned[00000]

Turkojan (75 unique IPs)

ams

CIA Trojan (3 unique IPs)

details;6333;Administrator;HOME;name;CIA 1.3;No;name

GhostHeart2 (2 unique IPs)

A zlib stream starts at offset 13.

00000000  47 68 30 73 74 61 00 00  00 b0 02 00 00 78 9c 4b Gh0sta.. .....x.K
00000010  63 60 60 98 03 c4 ac 40  cc 04 c4 e7 f8 20 f4 40 c``....@ ..... .@
00000020  02 0b 28 2d c4 c8 cc f0  81 0b e2 9e 03 2b 18 78 ..(-.... .....+.x
00000030  f2 72 72 93 49 35 ab 9c  91 81 e1 1e 2f 03 c3 17 .rr.I5.. ..../...
00000040  20 6d 64 60 68 84 2e 6f  7c e6 0d a5 ce 1d 05 54  md`h..o |......T
00000050  04 47 d6 9c 38 bf fd da  f5 97 b8 e4 01 82 d8 11 .G..8... ........
00000060  ac                                               .

MyRat (16 unique IPs)

What looks like a zlib stream starts at offset 13.

00000000  4d 79 52 61 74 b8 00 00  00 24 01 00 00 78 9c 4b MyRat... .$...x.K
00000010  8b 33 61 9a c3 c0 c0 c0  0a c4 8c 40 ac c1 c5 c0 .3a..... ...@....
00000020  c0 04 a4 83 53 8b ca 32  93 53 15 02 12 93 b3 15 ....S..2 .S......
00000030  8c 19 18 ae c4 98 30 fd  60 40 00 90 da 1b 46 4f ......0. `@....FO
00000040  18 5a 7d 67 17 86 c4 9a  80 b4 30 74 4a cd 2f 04 .Z}g.... ..0tJ./.
00000050  a9 b1 b0 16 66 c8 60 80  e8 61 66 80 98 07 52 cf ....f.`. .af...R.
00000060  06 c4 02 50 8c 02 14 a0  18 aa ee 25 50 13 33 98 ...P.... ...%P.3.
00000070  c3 c8 70 60 05 a3 e9 32  a0 e0 22 a8 bb 18 8a 0b ..p`...2 ..".....
00000080  52 53 53 d0 0d c0 0e fe  b3 33 30 5c 04 ea cd ae RSS..... .30....
00000090  48 2d 4e ce 2f 4a 65 00  ba 6b 81 2a 44 6e 31 d0 H-N./Je. .k.*Dn1.
000000A0  df 30 3b 97 dd de 70 6a  49 f8 de d2 a5 2e fb be .0;...pj I.......
000000B0  63 33 07 00 3f 40 28 73                          c3..?@(s

YoyoDDoS (471 unique IPs)

0xb8 variant.

00000000  79 6d 74 d8 68 90 95 8e  8f 8d d0 84 8d d1 d8 c1 ymt.h... ........
00000010  c6 c5 c8 d8 69 85 99 94  cd 7b 8f 8a 95 d8 68 8a ....i... .{....h.
00000020  8f 9b 95 8b 8b 8f 8a b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000030  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000040  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000050  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000060  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000070  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
00000080  cb cb ca c7 6d 7a b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ....mz.. ........
00000090  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
000000A0  67 91 8e d8 60 68 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 g...`h.. ........
000000B0  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
000000C0  e8 59 3c 56 3c 56 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 .Y<V<V.. ........
000000D0  b8 b8 b8 b8 b8 b8 b8 b8  b8 b8 b8 b8 b8 b8 b8 b8 ........ ........
000000E0  e1 b7 b8 b8                                      ....

Trojan.DDoser (5 unique IPs)

Base64 encoded.

*SNEW*/2||*||RGVmYXVsdA==||*||Uk8=||*||NC4y||*||WFAgeDg2||*||name||*||QVVUSExPQURFUkRFRkFVTFQ=||*||

Spy-Net RAT (19 unique IPs)

Base64 encoded.

hZGVPsqmMkI|

Unknown #1 (2 unique IPs)

104|OnConnect|United States|me|name - me|172.16.3.44|Not Detected|4.0.4 Update 2|United States|OnConnect|

Unknown #2 (2 unique IPs)

Two version numbers were seen: 4.0 and 6.0.

LOGIN|Slovakia#SK|name and something like a password hash|#!#|pixel|name|name-PC|Windows 7|Connection Established|Intel(R) Pentium(R) M processor 1600MHz 1598MHz|0,5|Not Available|Not Available||140|4.0|123456

Unknown #3 (16 unique IPs)

Two version numbers were seen: 0.7 and 1.2.

02|Dell@DELL-name|XP/Vista|TR|1700|N|t+1.2|1.2|-|
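A first-pass classifier for the phone-homes listed above, as an added example and not code from the ASERT sinkhole: it parses the Gh0st/MyRat framing (5-byte magic, little-endian total and inflated lengths, zlib stream from offset 13, exactly as the two dumps show), decodes the ‘||*||’-separated base64 fields of the Trojan.DDoser record, and matches the text beacons by signature. The family labels and regular expressions are this example’s own. The IRC rule assumes the capture starts with the client’s NICK/USER registration, which the post does not show verbatim, and the YoyoDDoS rule is a 0xb8 fill-byte heuristic rather than a decoder, because the post does not describe that variant’s encoding.

```python
import base64
import re
import struct
import zlib

# Gh0st-family framing, inferred from the Gh0st and MyRat dumps above:
# 5-byte magic | u32 LE total packet length | u32 LE inflated length | zlib stream
GH0ST_HDR = struct.Struct("<5sII")


def parse_gh0st_packet(data):
    """Return the parsed header (plus the inflated body when the whole packet
    is present and the lengths agree), or None if `data` is not Gh0st-framed."""
    if len(data) < GH0ST_HDR.size:
        return None
    magic, total, inflated = GH0ST_HDR.unpack_from(data)
    if not re.fullmatch(rb"[A-Za-z0-9]{5}", magic) or total < GH0ST_HDR.size:
        return None
    if data[GH0ST_HDR.size:GH0ST_HDR.size + 2] != b"\x78\x9c":   # zlib, default level
        return None
    pkt = {"magic": magic.decode("ascii"), "total": total, "inflated": inflated, "body": None}
    if len(data) >= total:
        try:
            body = zlib.decompress(data[GH0ST_HDR.size:total])
        except zlib.error:
            return pkt
        if len(body) == inflated:
            pkt["body"] = body
    return pkt


def decode_ddoser(data):
    """Split a Trojan.DDoser '*SNEW*' record on its '||*||' separator and
    base64-decode every field that decodes to printable ASCII; anything else
    (the marker, redacted fields, the empty tail) is kept verbatim."""
    text = data.decode("latin-1").strip()
    if not text.startswith("*SNEW*/"):
        return None
    fields = []
    for field in text.split("||*||"):
        try:
            raw = base64.b64decode(field, validate=True)
        except ValueError:            # binascii.Error is a ValueError
            raw = b""
        if raw and all(32 <= b < 127 for b in raw):
            fields.append(raw.decode("ascii"))
        else:
            fields.append(field)
    return fields


# Byte-level signatures for the text phone-homes shown above (labels are this
# example's own). The IRC entry assumes the capture begins with NICK/USER.
SIGNATURES = [
    ("Xtreme RAT (version beacon)", re.compile(rb"^myversion\|(?P<version>[0-9.]+)")),
    ("Xtreme RAT (HTTP beacon)",    re.compile(rb"^GET /(?P<password>[^/ ]+)\.functions HTTP/1\.[01]")),
    ("DarkComet (keepalive)",       re.compile(rb"^KEEPALIVE\d+")),
    ("CIA Trojan",                  re.compile(rb"^details;\d+;(?:[^;]*;){3}CIA (?P<version>[0-9.]+);")),
    ("Turkojan",                    re.compile(rb"^ams\b")),
    ("Trojan.DDoser",               re.compile(rb"^\*SNEW\*/")),
    ("IRC bot",                     re.compile(rb"^(?:NICK|USER) ", re.M)),
]


def classify(data):
    """Label the first bytes captured from one sinkholed connection."""
    pkt = parse_gh0st_packet(data)
    if pkt is not None:
        return {"family": "Gh0st family (%s)" % pkt["magic"], **pkt}
    for family, rx in SIGNATURES:
        m = rx.search(data)
        if not m:
            continue
        result = {"family": family}
        result.update({k: v.decode("latin-1") for k, v in m.groupdict().items() if v})
        if family == "Trojan.DDoser":
            result["fields"] = decode_ddoser(data)
        return result
    # YoyoDDoS "0xb8 variant": a fixed-size blob padded with 0xb8. This is a
    # fill-byte heuristic, not a decoder; the post gives no key for the payload.
    if len(data) >= 128 and data.count(b"\xb8") * 2 > len(data):
        return {"family": "YoyoDDoS (0xb8 variant, fill-byte heuristic)"}
    return {"family": "unknown"}
```

Running classify over the logged first bytes of each connection is enough to bucket the bulk of the traffic; the Gh0st parser is also the one place where a truncated capture (fewer bytes than the header’s total length) is recognised rather than misfiled, which the 2048-byte logging limit makes common for larger packets.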

This analysis of a small sample of No-IP domains and their associated malware gives us a tiny peek into some possibly forgotten attack campaigns and how active they can still be. While No-IP and other dynamic DNS hostnames shouldn’t automatically be assumed to be bad, we feel they warrant further scrutiny and attention if seen on your networks.

It should come as no surprise that there is a lot of malware out there, in all sorts of shapes and sizes. Sinkholing is just another tool in the malware researcher’s toolbox for the endless task of classifying, analyzing, and mitigating the shadier half of the Internet. In the meantime, the ASERT team’s work on the sinkholing project continues. Goals include expanding the scope, automating collection and classification as much as possible, and, of course, integrating the data into the ATLAS portal.

********

Appendix 1: Domains

Between Nov 6-8:

sparkles.no-ip.org

loucoservegame.no-ip.org

winchesterhacker.no-ip.org

moof1.no-ip.org

totty46.no-ip.org

mmsalti.no-ip.org

maradona.no-ip.org

chmsou.no-ip.org

notiweb.no-ip.org

diddy69.no-ip.org

juventus-nando.no-ip.org

hoolaco.no-ip.org

by-brunix.no-ip.org

bolinha130.no-ip.org

rathacking786.no-ip.org

123boof.no-ip.org

gabrielzinho.no-ip.org

warez-kw.no-ip.org

demone2011.no-ip.org

markinyourdark.no-ip.org

amine69.no-ip.org

turkoloko.no-ip.org

bilal182010.no-ip.org

tucanoquebrado.no-ip.org

Between Nov 9 – 12

ibraaaaaa.no-ip.org

darthlord1.no-ip.org

aljaybol.no-ip.org

aidsvlek.no-ip.org

nomanvirus.no-ip.org

xtrema.no-ip.org

nonozin.no-ip.org

lance11111.no-ip.org

y2c.no-ip.org

pequenoserver.no-ip.org

bcsmetall.no-ip.org

deus-chess25.no-ip.org

memea7.no-ip.org

hermogenes.no-ip.org

anonymousbs2.no-ip.org

wellcomemagila.no-ip.org

wolver.no-ip.org

romerohacker.no-ip.org

difusao.no-ip.org

6thekey2.no-ip.org

180291.no-ip.org

hackerdr.no-ip.org

revoli.no-ip.org

anon1.no-ip.org

xupeta.no-ip.org

Between Nov 13 – 15:

k4b000.no-ip.org

adelson3x.no-ip.org

muerteya.no-ip.org

bnbtx.no-ip.org

6shades16.no-ip.org

chivas.no-ip.org

marcus3.no-ip.org

ilkkan.no-ip.org

desgarrada.no-ip.org

axf.no-ip.org

darkki123.no-ip.org

avisos.no-ip.org

bobharis.no-ip.org

ooooffff1.no-ip.org

tratt1.no-ip.org

evilsniper.no-ip.org

cust0.no-ip.org

lavitaebella.no-ip.org

es-imvu.no-ip.org

merda2.no-ip.org

darkcometx.no-ip.org

dark-sam.no-ip.org

victima123.no-ip.org

z-666.no-ip.org

fzlmo0s3.no-ip.org

tounsi-vip.no-ip.org

Between Nov 16 – 19:

helli1.no-ip.org

shootersiker.no-ip.org

adsll.no-ip.org

slow-v4.no-ip.org

bolinha2012.no-ip.org

6avhosts.no-ip.org

gandhihaxx.no-ip.org

kareemsql.no-ip.org

thedarkdkpiteur.no-ip.org

norhdsss.no-ip.org

xtremecheese.no-ip.org

froozen.no-ip.org

xxtreme.no-ip.org

x-treme.no-ip.org

ohgkm.no-ip.org

hackers1337x.no-ip.org

smoke1.no-ip.org

n00bz0r.no-ip.org

drico-drica.no-ip.org

shades16.no-ip.org

wkrldi132.no-ip.org

6blackhatt.no-ip.org

khabran.no-ip.org

6serverstatus11.no-ip.org

celsodns.no-ip.org

Lessons learned from the U.S. financial services DDoS attacks

By: Arbor Networks -

By Dan Holden and Curt Wilson of Arbor’s Security Engineering & Response Team (ASERT)

During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions. They were very much premeditated, focused, advertised before the fact, and executed to the letter.

In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets, and the attackers took full advantage of this to upload various PHP webshells which were then used to deploy attack tools. Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands. In the September 2012 attacks there were several PHP-based tools used, the most prominent of which was “Brobot”, along with two other tools, KamiKaze and AMOS, which were used a bit less often. Brobot has also been referred to as “itsoknoproblembro”.

The attack tactics observed were a mix of application-layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols. The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, against multiple companies in the same vertical.

On December 10, 2012 the group claiming responsibility for the prior attacks, the Izz ad-Din al-Qassam Cyber Fighters, announced “Phase 2 Operation Ababil”. A new wave of attacks was announced on their Pastebin page, which described their targets as follows:

“Continually, the goals under attacks of this week are including: U.S. Bancorp, JPMorgan Chase&co, Bank of America, PNC Financial Services Group, SunTrust Banks, Inc.”

On December 11, 2012, attacks on several of these victims were observed. Some attacks looked similar in construction to Brobot v1; however, Brobot v2 adds a newly crafted DNS packet attack and a few other attack changes.

These attacks have shown why DDoS continues to be such a popular and effective attack vector. Yes, DDoS can take the form of very large attacks. In fact, some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications.

Lessons Learned

While there has been much speculation about who is behind these attacks, our focus is less on the who or why, but how we can successfully defend. There are multiple lessons to be learned from these attacks, by everyone involved – the targeted enterprises, their managed security providers, Website and Web application administrators, and the vendor community.

For enterprises, it is clear that typical perimeter defenses such as firewalls and IPS are not effective when dealing with DDoS attacks, as each technology inline to the target is itself a potential bottleneck. These devices can be an important part of a layered defense strategy, but they were built for problems far different from today’s complex DDoS threat. Given the complexity of today’s threat landscape and the nature of application-layer attacks, it is increasingly clear that enterprises need better visibility and control over their networks, which requires a purpose-built, on-premises DDoS mitigation solution. This may sound self-serving; however, visibility into a DDoS attack needs to come well before the first report of your Website or critical business asset going down. Without real-time knowledge of the attack, defense and recovery become increasingly difficult.

Providers of managed security services have begun to evaluate their deployments and mitigation capacity. These attacks were unusual in that they targeted multiple organizations within the same vertical at once, putting a strain on the capacity of providers’ cloud-based mitigation services.

What these attacks have continued to demonstrate is that DDoS will remain a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats. The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success. There have certainly been cases where the MSSP was successful at mitigating an attack but the target Website still went down due to corruption of the underlying application and data. In order to defend networks today, enterprises need to deploy DDoS security in multiple layers, from the perimeter of their network to the provider cloud, and ensure that on-premises equipment can work in harmony with provider networks for effective and robust attack mitigation.

Snapshot: Syria’s Internet drops, returns

By: Darren Anstee -

The Arbor ATLAS system leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats. Currently 246 of Arbor’s customers are actively participating in the Arbor ATLAS system and are sharing data on an hourly basis. The data shared includes information on the traffic crossing the boundaries of participating networks and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to/from) Syria across all of these participating networks. This is not the total traffic into and out of Syria; it is simply a snapshot taken from the vantage point of 246 network operators around the world.

As you can see, traffic dropped sharply at around 1730 in the graph below. The low level could indicate either a reduction in traffic to/from Syria or an outage of less than an hour (as the data is at one-hour granularity). The actual traffic interruption is likely to have occurred at around 1630; the graphs show the interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.

Syria goes dark

By: Darren Anstee -

UPDATE: Syria’s back online

ORIGINAL POST

The ATLAS infrastructure leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats.  Currently 246 of Arbor’s customers are actively participating in the ATLAS program, and are sharing data on an hourly basis.

The data shared includes information on the traffic crossing the boundaries of participating networks and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to/from) Syria across all of these participating networks. This is not the total traffic into and out of Syria; it is simply a snapshot taken from the vantage point of 246 network operators around the world. As you can see, traffic drops to virtually nothing earlier today. The actual traffic interruption is likely to have occurred between 1000 and 1100 today; the graphs show the interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.

(UPDATED: as of 5:50am ET on 12/1/12)

As a reminder, this is not the first time we have seen a complete cut-off of Internet access in the Middle East. You may recall that back in January 2011 something similar occurred in Egypt:

How likely is a DDoS Armageddon attack?

By: Carlos Morales -

The recent DDoS attacks against many of the North American financial firms had some unique characteristics that put a strain on the defenses in place and resulted in a number of well-publicized service outages. The escalating threat is not new. It has been steadily building over the last few years as botnet command and control has matured, the tools available to exploit those botnets have gone mainstream, and the cost of using the tools has plummeted. What the attacks did do is raise the industry’s collective consciousness around how bad the situation has gotten. The effectiveness of the attacks has changed the way that Internet operators, whether service provider, hosting provider, government or enterprise, think about their defenses. It has also raised a number of troubling questions.

The most common question that I have been asked is around the growing size of attacks and the capacity of Internet operators to withstand such threats. How big does an attack have to be to overwhelm the biggest, most prepared financial company? How big does an attack have to be to overwhelm the biggest and most prepared service provider? Is there an Armageddon attack on the horizon that threatens to take down the entire Internet? There are indications that this could be the case.

It should be noted that size is by no means the only way an attack can be effective. It is a very visible way of taking down a network, similar to the way a 7-mile backup on a local highway is a visible sign that you are not getting to your destination quickly. Application-layer attacks, IP protocol attacks, connection attacks and other stealthy attack methods can be just as effective in taking down a victim while being much more difficult to detect and mitigate. The financial sector attacks were multi-vector and had aspects of both volumetric and application-layer attack traffic.

This article is going to focus on larger attacks and the possibility of an Armageddon attack. First, there are a few different measures of size, including bandwidth (bps), packets (pps) and connections (cps). In all three cases Internet operators such as enterprises will have a limit which they can handle. Bps is the most commonly considered measure of size, and it is easy to estimate network bandwidth limits: if the Internet operator has 10 Gbps of upstream bandwidth, then attacks bigger than this will overwhelm the links. Packet-per-second (pps) limits are harder to estimate because each device that is inline with traffic will have its own pps limit, dependent on the configuration it is running and the type of traffic seen. High-pps attacks often cause more problems than high-bps attacks because multiple bottlenecks may exist on the network. High-cps attacks are typically targeted at stateful devices on the network that maintain a connection table. These tend to be the hardest to measure because network traffic analyzers tend to focus on just bps or pps.

With all three attack types, all enterprise, government and hosting provider networks will have bottlenecks that can be overrun relatively easily by big DDoS attacks. Most enterprise and government datacenters have no more than 10 Gbps, with some ranging slightly higher than this. Arbor Networks frequently sees attacks much larger than this. As an example, Arbor’s ATLAS system receives anonymous attack statistics from hundreds of Arbor Peakflow SP deployments. The largest bandwidth attacks measured in 2011 and 2012 were 101.4 Gbps and 100.8 Gbps respectively. The largest packet-per-second attacks measured in 2011 and 2012 were 139.7 Mpps and 82.4 Mpps respectively. Another source of data is the annual security survey of Internet operators that Arbor runs. One of the survey questions is about the largest bps attacks seen over the previous year. The chart below reflects the biggest attack reported each year since the survey was first conducted in 2002.

Based on the data from the chart above, there have been DDoS attacks capable of overwhelming a 10 Gbps datacenter since 2005. All this means that enterprises, governments and hosting providers need help from their upstream service providers to deal with threats of this magnitude. Many of these providers offer managed security services that provide protection against bigger attacks. At a certain point, the attacks are big enough that the providers consider them their responsibility anyway because of the potential impact to multiple customers. However, it is heavily recommended to have an agreement in place to ensure SLAs and guaranteed response times.

That brings me back to the question of whether an Armageddon attack is possible that can overwhelm not only the end victim but also all the Internet providers in between. Based on the current Internet environment, this is all too possible. The first thing to consider is how much bandwidth is available to generate an attack. There have been botnets discovered that contained more than 1M infected hosts. Assuming an average of 1 Mbps of upstream access per host, a conservative estimate given the number of broadband subscribers and 4G and 3G users in the world, a 1M-host botnet could generate an attack of 1 Tbps. Now what if this botnet and multiple other large botnets attack at the same time? Service providers have a lot of bandwidth throughout their networks, but there are limits to how much traffic they can handle. Attacks of the magnitude described would have a profound effect on the Internet as a whole, exploiting bottlenecks in many places simultaneously. No single service provider, even the largest tier ones, would be able to handle all this traffic without adversely affecting their user base.

Is this possible? It certainly seems so. Is it likely? It doesn’t seem so, since it would affect everyone on the Internet and not just a single victim. That said, many attacks that didn’t seem likely before are now becoming commonplace as motivations have shifted. It is something that CSOs within the carrier community are likely considering and hopefully taking steps to plan for the worst.